On Tue, 12 Jan 2021, Braden McGrath via FreeIPA-users wrote:
Alexander, I appreciate your reply :)

I run my home's FreeIPA deployment at 'example.net' and rely on firewalls
and an external DNS server to provide a safer outer view of it. There is
nothing wrong with this approach -- nor with the 'ipa.example.net'
approach either.

Let us assume I have no other DNS servers at all for 'example.net'. If
I put the FreeIPA root at 'ipa.example.net', is it possible to add the
"parent" 'example.net' as an authoritative domain in FreeIPA's DNS
server? Or can it only manage and serve DNS for its own subdomain and
others below it? I'm sorry if this is a basic / stupid question, I
haven't had to deal with BIND in over a decade, and I don't know how
much the FreeIPA integration changes what can be done (I'm 99% sure
that BIND on its own can do this).

Any DNS zone for which the IPA DNS server could be authoritative can be
handled. It cannot be a slave DNS server, nor can it handle DNS views, but
other than that there are no limitations on what the zone name could be.

For example,

[root@m1 ~]# ipa dnszone-add my-top-level.
  Zone name: my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480726
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@m1 ~]# ipa dnszone-add test.my-top-level.
  Zone name: test.my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480741
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@m1 ~]# ipa dnszone-find
  Zone name: my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480727
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

  Zone name: test.my-top-level.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster
  SOA serial: 1610480743
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

  Zone name: ipa1.test.
  Active zone: TRUE
  Authoritative nameserver: m1.ipa1.test.
  Administrator e-mail address: hostmaster.ipa1.test.
  SOA serial: 1610393570
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self * AAAA; grant IPA1.TEST krb5-self * SSHFP; grant "rndc-key" zonesub ANY;
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
----------------------------
Number of entries returned 3
----------------------------

[root@m1 ~]# dig -t any +nostats +nocomments my-top-level. test.my-top-level.

; <<>> DiG 9.11.25-RedHat-9.11.25-2.fc34 <<>> -t any +nostats +nocomments my-top-level. test.my-top-level.
;; global options: +cmd
;my-top-level.                  IN      ANY
my-top-level.           86400   IN      NS      m1.ipa1.test.
my-top-level.           86400   IN      SOA     m1.ipa1.test. hostmaster.my-top-level. 1610480727 3600 900 1209600 3600
;test.my-top-level.             IN      ANY
test.my-top-level.      86400   IN      NS      m1.ipa1.test.
test.my-top-level.      86400   IN      SOA     m1.ipa1.test. hostmaster.test.my-top-level. 1610480743 3600 900 1209600 3600

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
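As an added illustration (not code from the thread or from FreeIPA itself), the following Python script parses an `ipa dnszone-find` listing of the kind shown above, rejoins the wrapped "BIND update policy" line, answers which hosted zone is authoritative for a given name (so a parent zone and its child can be checked side by side, as in the example), and flags zone settings a defender would review. The sample listing is constructed, and its `Allow transfer: any;` entry is there only to give the audit something to report.

```python
import re

# Constructed sample modelled on the `ipa dnszone-find` listing quoted above; the
# second zone deliberately allows transfers so that the audit has something to flag.
SAMPLE = """\
  Zone name: my-top-level.
  BIND update policy: grant IPA1.TEST krb5-self * A; grant IPA1.TEST krb5-self
* AAAA; grant IPA1.TEST krb5-self * SSHFP;
  Dynamic update: FALSE
  Allow transfer: none;

  Zone name: test.my-top-level.
  Dynamic update: TRUE
  Allow transfer: any;
----------------------------
"""

def parse_zones(text):
    """One dict per zone; a line without a 'Key:' prefix continues the previous value."""
    zones, key = [], None
    for line in text.splitlines():
        if line.startswith("---"):              # end of the listing
            break
        m = re.match(r"^  ([A-Za-z][^:]*): ?(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "Zone name":              # first attribute of every record
                zones.append({})
            zones[-1][key] = value
        elif line.strip() and zones:            # wrapped continuation line
            zones[-1][key] += " " + line.strip()
    return zones

def authoritative_zone_for(name, zones):
    """Longest-suffix match: the hosted zone that answers for `name`, or None."""
    name = name.rstrip(".").lower() + "."
    matches = [z for z in zones if name == z["Zone name"].lower()
               or name.endswith("." + z["Zone name"].lower())]
    return max(matches, key=lambda z: len(z["Zone name"]), default=None)

def audit_zone(z):
    """Settings worth reviewing: open zone transfers, dynamic update without krb5-self grants."""
    findings = []
    if z.get("Allow transfer", "none;") != "none;":
        findings.append("zone transfer allowed: " + z["Allow transfer"])
    if z.get("Dynamic update") == "TRUE" and "krb5-self" not in z.get("BIND update policy", ""):
        findings.append("dynamic update enabled without krb5-self policy")
    return findings
```

Feed it the real output of `ipa dnszone-find` instead of `SAMPLE` to check your own zones; the parser stops at the summary separator the command prints.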
_______________________________________________
FreeIPA-users mailing list -- [email protected]